Search Images Maps Play YouTube News Gmail Drive More »
Sign in
Screen reader users: click this link for accessible mode. Accessible mode has the same essential features but works better with your reader.

Patents

  1. Advanced Patent Search
Publication numberUS8122508 B2
Publication typeGrant
Application numberUS 11/927,424
Publication dateFeb 21, 2012
Filing dateOct 29, 2007
Priority dateJul 13, 2004
Also published asUS7343624, US20070294765, US20080134336, US20120151590
Publication number11927424, 927424, US 8122508 B2, US 8122508B2, US-B2-8122508, US8122508 B2, US8122508B2
InventorsJennifer Rihn, Jonathan J. Oliver
Original AssigneeSonicwall, Inc.
Export CitationBiBTeX, EndNote, RefMan
External Links: USPTO, USPTO Assignment, Espacenet
Analyzing traffic patterns to detect infectious messages
US 8122508 B2
Abstract
Managing electronic messages comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded and preventing the infectious forwarded message from spreading.
Images(6)
Previous page
Next page
Claims(9)
What is claimed is:
1. A method of detecting a malicious message in a stream of incoming messages on a network, the method comprising:
establishing a local subnet traffic pattern based on a stream of messages previously sent over the network and received in a local subnet, the local subnet traffic pattern providing a local subnet baseline built from a collection of messages identified as good messages from the stream of messages previously received in the local subnet;
establishing a threshold describing a range of expected deviation from the local subnet baseline;
collecting data regarding an incoming message at a time of receipt of the incoming message, the incoming message received in the local subnet;
calculating a probability that the incoming message is malicious based on the collected data from the incoming message, the probability indicating a deviation of the collected data from the established local subnet baseline;
identifying a traffic pattern variable associated with traffic streams on the network at the time of receipt of the incoming message, wherein the traffic pattern variable includes information regarding a local traffic pattern of a different local subnet; and
classifying the incoming message as malicious based on the identified traffic pattern variable and the calculated probability that the incoming message is malicious exceeding the established threshold.
2. The method of claim 1, wherein the traffic pattern variable includes information regarding a global traffic pattern.
3. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes associating a probability with token sequences in the incoming message.
4. The method of claim 1, in which the collected data includes information regarding a file type of an attachment to the message.
5. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes evaluating a traffic pattern associated with previously received messages having similar probabilities of being malicious.
6. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes evaluating a traffic pattern associated with previously received messages having similar collected data.
7. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes evaluating a traffic pattern associated with previously received messages having similar times of receipt.
8. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes evaluating a traffic pattern associated with previously received messages having similar traffic pattern variables.
9. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method of detecting a malicious message in a stream of incoming messages, the method comprising:
establishing a local subnet traffic pattern based on a stream of messages previously received by a local subnet, the local subnet traffic pattern providing a local subnet baseline built from a collection of messages identified as good messages from the stream of messages previously received by the local subnet;
establishing a threshold describing a range of expected deviation from the local subnet baseline;
collecting data regarding an incoming message at a time of receipt of the incoming message, the incoming message received by the local subnet;
calculating a probability that the incoming message is malicious based on the collected data from the incoming message, the probability indicating a deviation of the collected data from the established local subnet baseline;
identifying a traffic pattern variable associated with traffic streams on a network at the time of receipt of the message, wherein the traffic pattern variable includes information regarding a local traffic pattern of a different local subnet; and
classifying the incoming message as malicious based on the identified traffic pattern variable and the calculated probability that the incoming message is malicious exceeding the established threshold.
Description
CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 11/156,373 entitled “Managing Infectious Messages as Identified by an Attachment” filed on Jun. 16, 2005, now U.S. Pat. No. 7,343,624, which claims priority to U.S. Provisional Patent Application No. 60/587,839 entitled “Detecting Malicious Message on Day Zero” filed on Jul. 13, 2004, which is incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

Computer viruses and worms are often transmitted via electronic messages. An infectious message usually comes in the form of an e-mail with a file attachment, although other forms of infection are possible. Attackers have exploited many protocols that exchange electronic information, including email, instant messaging, SQL protocols, Hyper Text Transfer Protocols (HTTP), Lightweight Directory Access Protocol (LDAP), File Transfer Protocol (FTP), telnet, etc. When the attachment is opened, the virus executes. Sometimes the virus is launched through a link provided in the email. Virus or worm attacks can cause considerable damage to organizations. Thus, many anti-virus solutions have been developed to identify viruses and prevent further damage. Currently, most anti-virus products use virus signatures based on known viruses for identification. Such systems, however, often do not protect the network effectively during the time window between a virus' first appearance and the deployment of its signature. Networks are particularly vulnerable during this time window, which is referred to as “time zero” or “day zero”. For a typical anti-virus system to function effectively, it usually requires viruses to be identified, their signatures developed and deployed. Even after the system adapts after an outbreak, time zero threat can sometimes re-immerge as the virus mutates, rendering the old signature obsolete.

One approach to time zero virus detection is to use a content filter to identify and quarantine any message with a potentially executable attachment. This approach is cumbersome because it could incorrectly flag attachments in Word, Excel and other frequently used document formats even if the attachments are harmless, resulting in high rate of misidentification (also referred to as false positives). Furthermore, the approach may not be affective if the virus author disguises the nature of the attachment. For example, some virus messages ask the recipients to rename a .txt file as .exe and then click on it. Sometimes the virus author exploits files that were not previously thought to be executable, such as JPEG files. Therefore, it would be useful to have a better time zero detection technique. It would also be desirable if the technique could detect viruses more accurately and generate fewer false positives.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 is a system diagram illustrating an embodiment of a message delivery system.

FIG. 2 is a flowchart illustrating a process embodiment for detecting infectious messages.

FIG. 3 is a flowchart illustrating the implementation of the individual message analysis according to some embodiments.

FIG. 4 is a flowchart illustrating an embodiment of traffic analysis.

FIG. 5 is a flowchart illustrating another embodiment of traffic analysis.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as a process, an apparatus, a system, a composition of matter, a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or electronic communication links. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. A component such as a processor or memory described as being configured to perform a task includes both a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. In general, the order of the steps of disclosed processes may be altered within the scope of the invention.

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

Detecting infectious messages is disclosed. Analysis of individual characteristics of messages is performed in some embodiments to determine whether the message is suspicious. If a message is deemed suspicious, it is determined whether a similar message has been noted previously as possibly suspicious. If a similar message has been previously noted, the message is classified according to its individual characteristics and its similarity to the noted message. In some embodiments, if a message that was forwarded is later found to be infectious, the infectious message is reported to human or machine agents for appropriate action to take place.

FIG. 1 is a system diagram illustrating an embodiment of a message delivery system. In this example, message forwarding device 102 may be implemented as a mail server or gateway or other appropriate device. The message forwarding device is configured to forward messages received on its input interface. As used herein, forwarding includes sending a message to email servers or gateways, networking devices, email clients of individual recipients, or any other appropriate locations in the message's path of flow. Some of the messages to be forwarded may be infectious (i.e. containing viruses, worms or other items that may cause unwanted behavior on the recipient's device and/or the network). In this example, an infectious message detection mechanism 104 cooperates with the message forwarding device to identify the virus and prevents infectious messages from further spreading. In some embodiments, the virus detection mechanism is implemented as software, firmware, specialized hardware or any other appropriate techniques on the message forwarding device. In some embodiments, the detection mechanism is implemented on a separate device.

FIG. 2 is a flowchart illustrating a process embodiment for detecting infectious messages. Process 200 may be implemented on a message forwarding device, a standalone device, or as a part of another network monitoring/security device for any other appropriate device systems. In this example, an individual message analysis is performed initially (202). As will be shown in more details below, the individual message analysis evaluates the intrinsic characteristics of the message, determines the probability of the message being infectious, and classifies the message. In some embodiments, the message is classified as legitimate, suspicious or infectious based on the probability. The message is determined to be legitimate if the probability is below a legitimate threshold, infectious if the probability exceeds an infectious threshold, and suspicious if the probability is somewhere between the two thresholds. Other evaluations and classification techniques are used in different embodiments.

In the process shown, if a message is determined to be legitimate, the message is forwarded to the appropriate recipient (204). If the message is determined to be infectious, the message is treated as appropriate (206). In some embodiments, the message is quarantined or deleted from the delivery queue. If a message is deemed to be suspicious, a traffic analysis is performed on the suspicious message (208). The traffic analysis identifies any traffic spike in the e-mail message stream that is consistent with the pattern of a virus outbreak. Details of the traffic analysis are described below. In this example, analysis of a message in the context of all message traffic yields another probability of the message being infectious, and classifies the suspicious message as either legitimate or infectious according to the probability. Legitimate messages are processed normally and forwarded to their destinations (204). Infectious messages are treated appropriately (206). Other classifications are also possible. The order of the analyses may be different in some implementations and some embodiments perform the analysis in parallel. In some embodiments, each analysis is performed independently.

FIG. 3 is a flowchart illustrating the implementation of the individual message analysis according to some embodiments. In this example, process 202 initiates when a message is received (302). The message is then submitted to a plurality of tests configured to examine the characteristics of the message and detect any anomalies. After each test, the probability of the message being infectious is updated according to the test result (318). In some embodiments, the weight of different test results in calculating the probability may vary.

It is then determined whether the probability exceeds the threshold for the message to be deemed infectious (320). If so, the message is considered infectious and may be quarantined, deleted from send queue, or otherwise appropriately handled. If, however, the probability does not exceed the threshold, it is determined whether more tests are available (322). If so, the next available test is applied and the process of updating probability and testing for threshold is repeated. If no more tests are available, the probability is compared to the threshold required for a legitimate message (324). If the probability exceeds the legitimate threshold, the message is deemed to be suspicious. Otherwise, the tests indicate that the message is legitimate. The classification of the message is passed on to the next routine. According to process 200, depending on whether the message is legitimate, suspicious or infectious, the next routine may forward the message, perform traffic analysis on the message, or treat the message as infectious.

Examples of the tests used in the individual message analysis include signature matching tests (304), file name tests (306), character tests (308), bit pattern tests (310), N-gram tests (312), bit pattern test (314), and probabilistic finite state automata (PFSA) tests (316). The tests may be arranged in any appropriate order. Some tests maybe omitted and different tests may be used.

Some of the tests analyze the intrinsic characteristics of the message and/or its attachments. In the embodiments shown, the signature matching test (304) compares the signature of the message with the signatures of known viruses. The test in some embodiments generates a probability on a sliding scale, where an exact match leads to a probability of 1, and an inexact match receives a probability value that depends on the degree of similarity.

The file name test (306) examines the name of the attachment and determines if there is anomaly. For example, a file name such as “read me.txt.exe” is highly suspicious since it would appear that the sender is attempting to misrepresent the nature of the executable and pass the file off as a text file.

The character test (308) processes the content of the attachment and determines the possibility that the file maybe an infectious one. Characters that are unusual for the message file type indicate that the attachment has a higher likelihood of being infectious. For example, documents that purport to be text documents and contain many characters more common to an executable could be suspicious. In some embodiments, the character test examines certain portions of the message that is supposed to contain characters and omit the rest to avoid false positives. For example, if a document contains text and pictures, the character test will only process the text portion.

The bit pattern test (310) examines certain portions of the file and determines whether there is anomaly. Many files contain embedded bit patterns that indicate the file type. The magic number or magic sequence is such a bit pattern. For example, an executable file includes a particular bit pattern that indicates to the operating system that the file is an executable. The operating system will execute any file that starts with the magic sequence, regardless of the file extension. If an attachment has an extension such as .txt or .doc that seems to indicate that the file is textual in nature, yet the starting sequence in the file contains the magic sequence of an executable, then there is a high probability that the sender is attempting to disguise an executable as a text document. Therefore, the attachment is highly suspicious.

Some of the tests such as N-gram (312) and PFSA (314) measure the deviation of the received message from a baseline. In this example, the baseline is built from a collection of known good messages. An N-gram model describes the properties of the good messages. The N-gram model is a collection of token sequences and the corresponding probability of each sequence. The tokens can be characters, words or other appropriate entities. The test compares the N-gram model to an incoming message to estimate the probability that a message is legitimate. The probabilities of the N-gram sequences of the incoming messages can be combined with the probabilities of the N-gram sequences of the baseline model using any of several methods. In some embodiments, the N-gram test compares the test result with a certain threshold to determine the legitimacy of a message. In some embodiments, a message deemed legitimate by the N-gram test is not subject to further testing, thus reducing false positive rate. In some embodiments, a message found to be legitimate by the N-gram test is further tested to ascertain its true legitimacy.

In the example shown, the PFSA test (314) relies on a model that is built from a set of known good messages. The model describes the properties of legitimate messages. The model includes a plurality of token such as characters and words, and the probabilities associated with the tokens. The test estimates the probability that a particular message that includes a sequence of tokens can be generated by the model. In some embodiments, similar to the N-gram test, the test result is compared with a certain threshold to determine the legitimacy of a message. In some embodiments, a message deemed legitimate by the PFSA test is not subject to further testing to avoid false positives. In some embodiments, a message found to be legitimate by the PFSA test is further tested to ascertain its true legitimacy.

In some embodiments, information about previously received messages is collected and used to identify an increase in the number of similar and potentially suspicious messages. Messages are clustered to establish a statistical model that can be used to detect similar messages. The data collected may include one or more of the following: time of receipt, the recipients, number of recipients, the sender, size of the attachment, number of attachments, number of executable attachments, file name, file extension, file type according to the starting sequence of the file binary, etc. The characteristics of an incoming message are compared to the model to determine whether similar messages have been noted previously. A traffic spike in similar messages that were previously noted as potentially suspicious indicates the likelihood of a virus outbreak.

In some embodiments, traffic patterns are analyzed on a global network level. In other words, the analysis may monitor all the messages routed through an internet service provider and note the suspicious ones. In some embodiments, the traffic patterns are analyzed locally. For example, messages on a local network or on different subnets of a local network may be analyzed separately. In some embodiments, a combination of global and local analyses is used.

In local traffic analysis, different subnets can have different traffic patterns. For example, within a corporation, the traffic on the engineering department subnet may involve a large number of executables and binary files. Thus, absent other indicators, executables and binary attachments will not always trigger an alarm. In contrast, the traffic pattern of the accounting department may mostly involve text documents and spreadsheets, therefore an increase in binary or executable attachments would indicate a potential outbreak. Tailoring traffic analysis based on local traffic can identify targeted attacks as well as variants of old viruses.

FIG. 4 is a flowchart illustrating an embodiment of traffic analysis. Process 208 may be performed after the individual message analysis as shown in process 200, before the individual message analysis, in combination with other analysis, or independently. Process 208 initiates when a message is received (402). The characteristics of the message are compared to the characteristics of previously stored suspicious messages (404). In some embodiments, the system collects suspicious messages resulting from other tests such as the ones in the individual message analysis shown in FIG. 3.

It is then determined whether the message is similar to the previous stored messages (406). If the message is not similar to any of the previously stored suspicious messages, a low probability of infectiousness is assigned. If, however, the message is similar to previous stored suspicious messages, information associated with the received message is also stored and the statistical model is updated accordingly (408). It is then determined whether the number of such similar and suspicious messages has exceeded a predefined threshold (410). If not, the message is not classified as infectious at this point, although a higher probability may be assigned to it. If the total number of such suspicious messages has exceeded the threshold, it is likely that the message is indeed infectious and should be appropriately treated. For example, consider the case where the threshold number is set to 5, and there are already 4 instances of suspicious messages with executable attachments having the same extension and similar size. When a fifth message arrives with similar sized executable attachments with the same extension, the message will be classified as infectious. By selecting an appropriate threshold value, infectious messages can be detected and prevented without a major outbreak.

Sometimes the system may initially find a message to be legitimate or merely suspicious and forward the message to its destination. Later as more information becomes available, the system may find the message to be infectious. FIG. 5 is a flowchart illustrating another embodiment of traffic analysis. Process 500 may be performed independently or in conjunction with other types of message analyses. In the example shown, a message is received (502). The message is initially determined to be legitimate and forwarded (504). Sometime after the message has been forwarded, the forwarded message is determined to be infectious (506). A message may be found as infectious according to any appropriate message analysis techniques, including those described in this specification. In some embodiments, information pertaining to the forwarded message is optionally stored in memory, on disk or in other forms of storage medium so that it can be used for the analysis. Again, consider the example where the threshold number in the traffic analysis is set to 5 and 4 similar messages have been received. Although these 4 messages are noted as suspicious, because the threshold is not met the messages are still forwarded. The characteristics of the suspicious messages are stored. When a similar fifth message is received, its characteristics are compared to the characteristics of the four previously noted messages. N-gram, PFSA or other appropriate techniques can be used in the comparison. The analysis shows that the number of similar and suspicious messages meets the threshold. Therefore, the fifth message is infectious, as are the four previously noted and forwarded messages.

Once an already forwarded message is deemed infectious, measures are taken to prevent the infectious forwarded message from spreading (508). In the example shown above, the system will take actions to keep the 4 instances of previously forwarded messages from being opened or resent by their recipients. Additionally, the system will not forward the fifth message. In some embodiments, the system reports the finding to the system administrator, the recipient, and/or other users on the network to prevent the previously forwarded infectious messages from further spreading. Warning messages, log messages or other appropriate techniques may be used. In some embodiments, the system generates a cancellation request to a forwarding agent such as the mail server, which will attempt to prevent the messages from being forwarded by deleting them from the send queue, moving the messages into a location to be quarantined or any other appropriate action.

Detecting and managing infectious messages have been disclosed. By performing individual message analysis and/or traffic analysis, infectious messages can be more accurately identified at time zero, and infectious messages that initially escaped detection can be later identified and prevented from further spreading.

Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.

Patent Citations
Cited PatentFiling datePublication dateApplicantTitle
US5319776Sep 29, 1992Jun 7, 1994Hilgraeve CorporationIn transit detection of computer virus with safeguard
US5452442Apr 14, 1995Sep 19, 1995International Business Machines CorporationMethods and apparatus for evaluating and extracting signatures of computer viruses and other undesirable software entities
US5623600Sep 26, 1995Apr 22, 1997Trend Micro, IncorporatedVirus detection and removal apparatus for computer networks
US5826269Jun 21, 1995Oct 20, 1998Microsoft CorporationElectronic mail interface for a network server
US5832208Sep 5, 1996Nov 3, 1998Cheyenne Software International Sales Corp.For use in a computer network
US5889943Mar 29, 1996Mar 30, 1999Trend Micro IncorporatedApparatus and method for electronic mail virus detection and elimination
US5956481Feb 6, 1997Sep 21, 1999Microsoft CorporationMethod and apparatus for protecting data files on a computer from virus infection
US6035423Dec 31, 1997Mar 7, 2000Network Associates, Inc.Method and system for providing automated updating and upgrading of antivirus applications using a computer network
US6112227Aug 6, 1998Aug 29, 2000Heiner; Jeffrey NelsonFilter-in method for reducing junk e-mail
US6144934Sep 18, 1996Nov 7, 2000Secure Computing CorporationBinary filter using pattern recognition
US6199102Aug 26, 1997Mar 6, 2001Christopher Alan CobbMethod and system for filtering electronic messages
US6560632Jul 16, 1999May 6, 2003International Business Machines CorporationSystem and method for managing files in a distributed system using prioritization
US6650890Sep 29, 2000Nov 18, 2003Postini, Inc.Value-added electronic messaging services and transparent implementation thereof using intermediate server
US6701440Jan 6, 2000Mar 2, 2004Networks Associates Technology, Inc.Method and system for protecting a computer using a remote e-mail scanning device
US6732279Jan 16, 2003May 4, 2004Terry George HoffmanAnti-virus protection system and method
US6757830 *Oct 3, 2000Jun 29, 2004Networks Associates Technology, Inc.Detecting unwanted properties in received email messages
US6763462Oct 5, 1999Jul 13, 2004Micron Technology, Inc.E-mail virus detection utility
US6763467Feb 3, 1999Jul 13, 2004Cybersoft, Inc.Network traffic intercepting method and system
US6802012Oct 3, 2000Oct 5, 2004Networks Associates Technology, Inc.Scanning computer files for unwanted properties
US6813712Aug 17, 1999Nov 2, 2004International Business Machines CorporationViral replication detection using a counter virus
US6886099 *Sep 12, 2000Apr 26, 2005Networks Associates Technology, Inc.Computer virus detection
US6892241Sep 28, 2001May 10, 2005Networks Associates Technology, Inc.Anti-virus policy enforcement system and method
US6898715Sep 12, 2000May 24, 2005Networks Associates Technology, Inc.Response to a computer virus outbreak
US6901519Nov 3, 2000May 31, 2005Infobahn, Inc.E-mail virus protection system and method
US6941348Feb 19, 2003Sep 6, 2005Postini, Inc.Systems and methods for managing the transmission of electronic messages through active message date updating
US6941466Feb 22, 2001Sep 6, 2005International Business Machines CorporationMethod and apparatus for providing automatic e-mail filtering based on message semantics, sender's e-mail ID, and user's identity
US6954858Dec 22, 1999Oct 11, 2005Kimberly Joyce WelbornComputer virus avoidance system and mechanism
US6993660 *Dec 10, 2001Jan 31, 2006Mcafee, Inc.System and method for performing efficient computer virus scanning of transient messages using checksums in a distributed computing environment
US7007302Aug 31, 2001Feb 28, 2006Mcafee, Inc.Efficient management and blocking of malicious code and hacking attempts in a network environment
US7010696Jul 26, 2001Mar 7, 2006Mcafee, Inc.Method and apparatus for predicting the incidence of a virus
US7010807Apr 13, 2001Mar 7, 2006Sonicwall, Inc.System and method for network virus protection
US7017187Dec 28, 2000Mar 21, 2006Citigroup Global Markets, Inc.Method and system for file blocking in an electronic messaging system
US7020895Dec 21, 2000Mar 28, 2006F-Secure OyjRemote computer virus scanning
US7043757May 22, 2001May 9, 2006Mci, LlcSystem and method for malicious code detection
US7062553 *Jul 22, 2002Jun 13, 2006Trend Micro, Inc.Virus epidemic damage control system and method for network environment
US7069583Jul 14, 2001Jun 27, 2006Computer Associates Think, Inc.Detection of polymorphic virus code using dataflow analysis
US7124438 *Mar 8, 2002Oct 17, 2006Ciphertrust, Inc.Systems and methods for anomaly detection in patterns of monitored communications
US7159149 *Oct 24, 2002Jan 2, 2007Symantec CorporationHeuristic detection and termination of fast spreading network worm attacks
US7213260Feb 24, 2003May 1, 2007Secure Computing CorporationSystems and methods for upstream threat pushback
US7257842 *Jul 21, 2003Aug 14, 2007Mcafee, Inc.Pre-approval of computer files during a malware detection
US7263561 *Aug 24, 2001Aug 28, 2007Mcafee, Inc.Systems and methods for making electronic files that have been converted to a safe format available for viewing by an intended recipient
US7299361Jan 12, 2004Nov 20, 2007Mcafee, Inc.Remote e-mail scanning system and method
US7310816Jan 27, 2000Dec 18, 2007Dale BurnsSystem and method for email screening
US7360246Sep 26, 2003Apr 15, 2008International Business Machines CorporationCommunications monitoring, processing and intrusion detection
US7458094 *Jun 6, 2001Nov 25, 2008Science Applications International CorporationIntrusion prevention system
US7509679 *Jan 30, 2004Mar 24, 2009Symantec CorporationMethod, system and computer program product for security in a global computer network transaction
US7647321Apr 26, 2004Jan 12, 2010Google Inc.System and method for filtering electronic messages using business heuristics
US20010005889 *Dec 21, 2000Jun 28, 2001F-Secure OyjRemote computer virus scanning
US20020004908Mar 20, 2001Jan 10, 2002Nicholas Paul Andrew GaleaElectronic mail message anti-virus system and method
US20020091940Jan 5, 2001Jul 11, 2002Welborn Christopher MichaelE-mail user behavior modification system and mechanism for computer virus avoidance
US20020116639Feb 21, 2001Aug 22, 2002International Business Machines CorporationMethod and apparatus for providing a business service for the detection, notification, and elimination of computer viruses
US20020129277Mar 12, 2001Sep 12, 2002Caccavale Frank S.Using a virus checker in one file server to check for viruses in another file server
US20020147780Apr 9, 2001Oct 10, 2002Liu James Y.Method and system for scanning electronic mail to detect and eliminate computer viruses using a group of email-scanning servers and a recipient's email gateway
US20020178373Apr 16, 2001Nov 28, 2002Randice-Lisa AltschulComputer virus rejection system and method
US20020194489Nov 27, 2001Dec 19, 2002Gal AlmogySystem and method of virus containment in computer networks
US20020194490Jan 30, 2002Dec 19, 2002Avner HalperinSystem and method of virus containment in computer networks
US20030074578Dec 5, 2001Apr 17, 2003Richard FordComputer virus containment
US20030115485 *Sep 20, 2002Jun 19, 2003Milliken Walter ClarkHash-based systems and methods for detecting, preventing, and tracing network worms and viruses
US20030120947Dec 26, 2001Jun 26, 2003Moore Robert EdwardIdentifying malware containing computer files using embedded text
US20030154394Feb 13, 2002Aug 14, 2003Levin Lawrence R.Computer virus control
US20030158905Feb 19, 2003Aug 21, 2003Postini CorporationE-mail management services
US20030167402Aug 16, 2002Sep 4, 2003Stolfo Salvatore J.System and methods for detecting malicious email transmission
US20030172166Mar 8, 2002Sep 11, 2003Paul JudgeSystems and methods for enhancing electronic communication security
US20030172302Mar 8, 2002Sep 11, 2003Paul JudgeSystems and methods for anomaly detection in patterns of monitored communications
US20030191969Mar 31, 2003Oct 9, 2003Katsikas Peter L.System for eliminating unauthorized electronic mail
US20030204569Apr 29, 2002Oct 30, 2003Michael R. AndrewsMethod and apparatus for filtering e-mail infected with a previously unidentified computer virus
US20030233418Jun 18, 2002Dec 18, 2003Goldman Phillip Y.Practical techniques for reducing unsolicited electronic messages by identifying sender's addresses
US20040015718Jul 22, 2002Jan 22, 2004Hostsentinel, Inc.Framework for collaborative suppression of undesirable computer activity
US20040015726Sep 25, 2002Jan 22, 2004Peter SzorPreventing e-mail propagation of malicious computer code
US20040024639Aug 5, 2002Feb 5, 2004Goldman Phillip Y.Direct marketing management on behalf of subscribers and marketers
US20040030913Aug 8, 2002Feb 12, 2004Trend Micro IncorporatedSystem and method for computer protection against malicious electronic mails by analyzing, profiling and trapping the same
US20040054917Aug 30, 2002Mar 18, 2004Wholesecurity, Inc.Method and apparatus for detecting malicious code in the form of a trojan horse in an information handling system
US20040073617 *Sep 4, 2003Apr 15, 2004Milliken Walter ClarkHash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US20040073810Oct 10, 2002Apr 15, 2004International Business Machines CorporationAntiviral network system
US20040083384Aug 20, 2001Apr 29, 2004Ari HypponenMaintaining virus detection software
US20040117648Dec 16, 2002Jun 17, 2004Kissel Timo S.Proactive protection against e-mail worms and spam
US20040128355Dec 25, 2002Jul 1, 2004Kuo-Jen ChaoCommunity-based message classification and self-amending system for a messaging system
US20040128536Dec 31, 2002Jul 1, 2004Ofer ElzamMethod and system for detecting presence of malicious code in the e-mail messages of an organization
US20040158554Feb 10, 2003Aug 12, 2004International Business Machines CorporationPattern matching to validate and classify computer variables to one or more name ranges
US20040158741Feb 7, 2003Aug 12, 2004Peter SchneiderSystem and method for remote virus scanning in wireless networks
US20040186893Jan 30, 2004Sep 23, 2004Fujitsu LimitedAbnormality detection method, abnormality detection program, server, computer
US20040199594Apr 26, 2004Oct 7, 2004Radatti Peter V.Apparatus, methods and articles of manufacture for intercepting, examining and controlling code, data and files and their transfer
US20040210769Apr 17, 2003Oct 21, 2004Cybersoft, Inc.Apparatus, methods and articles of manufacture for computer virus testing
US20040230827Mar 26, 2004Nov 18, 2004Franczek Edward J.Computer virus screening methods and systems
US20040255159Oct 31, 2003Dec 16, 2004Williamson Matthew MurrayPropagation of viruses through an information technology network
US20050055410May 7, 2004Mar 10, 2005Landsman Richard A.Managing electronic messages
US20050081051Oct 9, 2003Apr 14, 2005International Business Machines CorporationMitigating self-propagating e-mail viruses
US20050125667Dec 29, 2003Jun 9, 2005Tim SullivanSystems and methods for authorizing delivery of incoming messages
US20050149749Dec 30, 2003Jul 7, 2005Luc Van BrabantOn-access and on-demand distributed virus scanning
US20050251862Sep 11, 2003Nov 10, 2005Jarmo TalvitieSecurity arrangement, method and apparatus for repelling computer viruses and isolating data
US20050283837Dec 6, 2004Dec 22, 2005Michael OlivierMethod and apparatus for managing computer virus outbreaks
US20060010495Jul 6, 2004Jan 12, 2006Oded CohenMethod for protecting a computer from suspicious objects
US20060265745Jul 17, 2002Nov 23, 2006Shackleton Mark AMethod and apparatus of detecting network activity
US20060288414Mar 17, 2004Dec 21, 2006Seiko Epson CorporationMethod and system for preventing virus infection
JP2005011325A Title not available
JP2005259141A Title not available
WO2005076135A1Jan 9, 2004Aug 18, 2005Internet Crimes Group IncInformation security threat identification, analysis, and management
WO2005116804A2Jan 14, 2005Dec 8, 2005Self Repairing Computers IncIsolated multiplexed multi-dimensional processing in a virtual processing space having virus, spyware, and hacker protection features
WO2005124600A2Jun 10, 2005Dec 29, 2005Steven DornerMethod and apparatus for detecting suspicious, deceptive, and dangerous links in electronic messages
WO2006009620A1Jun 7, 2005Jan 26, 2006Ironport Systems IncMethod and apparatus for managing computer virus outbreaks
Non-Patent Citations
Reference
1"FileEXT Facts" Published Nov. 23, 2003 as verified by the Internet Archive (3 pages) http://web.archive.org/web/20031123132118/http://filext.com/faq/idx/0/017/article/.
2"Majordomo FAQ," Oct. 20, 2001.
3"Spam Guard Network-eMail-Spam Filtering Desktop Software" Published May 27, 2002 as verified by the Internet Archive. http://web.archive.org/web/2002052727012857/http://www.spamguard.net/.
4"Using the Rules Wizard," Sams Teach Yourself Microsoft® Outlook(TM) 2000 in 10 Minutes, © Sams Publishing, 2000.
5"Vispa Introduce Mail Guardian spam & virus fitlering" Published Apr. 14, 2004 from M2 Presswire. http://goliath.ecnext.com/coms2/gi-0199-226559/Vispa-introduce-Mail-Guardian-spam.html.
6"WindowsSecurity.com Email Security Testing Zone" Published Feb. 7, 2003 and Mar. 4, 2003 as verified by the Internet Archive (11 pages) http://web.archive.org/web/20030207121425/http://www.windowsecurity.com/emailsecuritytest/ and http://web.archive.org/web/20030304211950/www.windowsecurity.com/emailsecuritytest/faq.htm.
7"Spam Guard Network—eMail-Spam Filtering Desktop Software" Published May 27, 2002 as verified by the Internet Archive. http://web.archive.org/web/2002052727012857/http://www.spamguard.net/.
8"Vispa Introduce Mail Guardian spam & virus fitlering" Published Apr. 14, 2004 from M2 Presswire. http://goliath.ecnext.com/coms2/gi—0199-226559/Vispa-introduce-Mail-Guardian-spam.html.
9Adam Turner. "Canning Spam" Published Apr. 6, 2004. 2004 Sydney Morning Herald. (5 pages) http://www.smh.com/au/articles/2004/04/05/1081017087281.html.
10B.R. Gaines, Behaviour/Structure Transformations Under Uncertainty, Mar. 1976.
11Basis Technology, Language Identifier, Automatically Identify the Language and Encoding of Incoming Text, 2004, http://www.basistech.com/language%2Didentification/.
12Byrne, Julian, "My Spamblock," Google Groups Thread (Jan. 19, 1997).
13Cheeseman et al. AAAI88, The Seventh National Conference on Artificial Intelligence, Bayesian Classification, Aug. 21-28, 1988, vol. 2.
14Collins, et al., Efficient Induction of Finite State Automata, 1996.
15Crocker, David H., "RFC 822: Standard for the Format of ARPA Internet Text Messages," orginally published Aug. 13, 1982, http://www.faqs.org/ftp/rfc/pdf/rfc822.txt.pdf.
16Dana Angluin, Learning Regular Sets from Queries and Counterexamples, 1987.
17Dwork, Cynthia, et al. "Pricing via Processing or Combating Junk Mail," CRYPTO '92, Springer-Verlag LNCS 740, pp. 139-147, 1992.
18Graham, Paul. "A Plan for Spam." Published Aug. 2002 (8 pages). http://www.paulgraham.com/spam.html.
19Graham, Paul. "Better Bayesian Filtering." Pubilshed Jan. 2003 (13 pages). http://www.paulgraham.com/better.html.
20Guilmette, Ronald F., "To Mung or Not to Mung," Google Groups Thread (Jul. 24, 1997).
21Holtzman, Carey. "Spam Attack? Bayesian Filters to the Rescue!" Published Aug. 9, 2004 (7 pages). http://www.crn.com/white-box/59200920;jsessionid=E32QCZFQCXRMVQE1GHPCKHWATMY32JVN.
22Ian Betteridge, Windows, JPEG Exploit Ventures into the Wild, Sep. 28, 2004, http://www.eweek.com/article2/0,1759,1659777,00.asp.
23Ironport, Press Release, Iron Port Systems Introduces "Virus Outbreak Filters" to Predict New Outbreaks, Protect Customer Networks, Jun. 14, 2004.
24Joel Snyder, Definition of Zero Day Protection, Aug. 9, 2004, http://seclists.org/lists/focus-ids/2004/Aug/0046.html.
25Kaspersky Lab, Review of 2004 Shows Malware Continuing at Unrelenting Pace, http://www.kaspersky.com/news?id=155897089.
26Langberg, Mike, "Spam Foe Needs Filter of Himself," (Email Thread Dated Apr. 5, 2003).
27Lee et al., RFC 1738, Uniform Resource Locators (URL), Dec. 1994.
28Louis Chua, Zero-Day Attacks, Computer World, vol. 10, Issue No. 22, Jun. 9-22, 2004.
29McCullagh, Declan, "In-Boxes that Fight Back," News.com, May 19, 2003.
30Murhammer, Martin et al. "IP Network Design Guide" 1999 IBM Redbooks. Excerpt from Chapter 6 (32 pages).
31Paul Festa. "ISP software puts squeeze on spam" Published Jun. 16, 2003. 2003 Cnet News. (3 pages) http://news.cnet.com/ISP-software-puts-squeeze-on-spam/2010-1032-3-1017930.html.
32Paul Festa. "ISP software puts squeeze on spam" Published Jun. 16, 2003. 2003 Cnet News. (3 pages) http://news.cnet.com/ISP-software-puts-squeeze-on-spam/2010-1032—3-1017930.html.
33Postel, Jonathan, "RFC 821: Simple Mail Transfer Protocol," originally published Aug. 1982, http:www.faqs.org/ftp/rfc/pdf/rfc821.txt.pdf.
34Skoll, David F., "How to Make Sure a Human is Sending You Mail," Google Groups Thread (Nov. 17, 1996).
35Templeton, Brad, "Viking-12 Junk E-Mail Blocker," (believed to have last been updated Jul. 15, 2003).
36Various definitions for "intrinsic" from Dictionary.com © 1995-2009 by various. (2 pages) http://dictionary.reference.com/dic?q=intrinsic&search=search.
37Von Ahn, Luis, et al., "Telling Humans and COmputers Apart (Automatically) or How Lazy Cryptographers do AI," Communications to the ACM, Feb. 2004.
38Webster's II New Riverside Dictionary definition of "intrinsic" © 1984, 1988 Houghton Mifflin Co. (4 pages).
39Wikipedia article for "Echelon (signals intelligence)" as originally published on Mar. 27, 2004 (2 pages). http://en.wikipedia.org/w/index.php?title=Enchelon-%28signals-intelligence%29&oldid=3030420&printable=yes.
40Wikipedia article for "Echelon (signals intelligence)" as originally published on Mar. 27, 2004 (2 pages). http://en.wikipedia.org/w/index.php?title=Enchelon—%28signals—intelligence%29&oldid=3030420&printable=yes.
Referenced by
Citing PatentFiling datePublication dateApplicantTitle
US8479285 *Aug 6, 2008Jul 2, 2013Oracle International CorporationMethod, computer program and apparatus for controlling access to a computer resource and obtaining a baseline therefor
US8666731Sep 22, 2010Mar 4, 2014Oracle International CorporationMethod, a computer program and apparatus for processing a computer message
US20090044256 *Aug 6, 2008Feb 12, 2009Secerno Ltd.Method, computer program and apparatus for controlling access to a computer resource and obtaining a baseline therefor
Classifications
U.S. Classification726/24, 709/225, 709/224, 726/25, 726/22, 709/223
International ClassificationG06F11/30
Cooperative ClassificationH04L12/585, H04L63/1416, H04L63/145, G06F21/56, H04L51/12, G06F21/562
European ClassificationH04L12/58F, G06F21/56B, G06F21/56, H04L63/14A1, H04L63/14D1, H04L51/12
Legal Events
DateCodeEventDescription
May 8, 2012ASAssignment
Owner name: AVENTAIL LLC, CALIFORNIA
Free format text: RELEASE OF SECURITY INTEREST IN PATENTS RECORDED ON REEL/FRAME 024823/0280;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:028177/0126
Effective date: 20120508
Owner name: SONICWALL, INC., CALIFORNIA
Free format text: RELEASE OF SECURITY INTEREST IN PATENTS RECORDED ON REEL/FRAME 024776/0337;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:028177/0115
Aug 3, 2010ASAssignment
Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;SONICWALL, INC.;REEL/FRAME:024776/0337
Effective date: 20100723
Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, NEW YORK
Free format text: PATENT SECURITY AGREEMENT (SECOND LIEN);ASSIGNORS:AVENTAIL LLC;SONICWALL, INC.;REEL/FRAME:024823/0280
Jul 28, 2010ASAssignment
Free format text: CHANGE OF NAME;ASSIGNOR:PSM MERGER SUB (DELAWARE), INC.;REEL/FRAME:24755/91
Owner name: SONICWALL, INC.,CALIFORNIA
Free format text: MERGER;ASSIGNOR:SONICWALL, INC.;REEL/FRAME:24755/83
Effective date: 20100723
Owner name: PSM MERGER SUB (DELAWARE), INC.,CALIFORNIA
Owner name: SONICWALL, INC., CALIFORNIA
Free format text: CHANGE OF NAME;ASSIGNOR:PSM MERGER SUB (DELAWARE), INC.;REEL/FRAME:024755/0091
Owner name: PSM MERGER SUB (DELAWARE), INC., CALIFORNIA
Free format text: MERGER;ASSIGNOR:SONICWALL, INC.;REEL/FRAME:024755/0083
Feb 7, 2008ASAssignment
Owner name: MAILFRONTIER, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RIHN, JENNIFER;OLIVER, JONATHAN J.;REEL/FRAME:020486/0665;SIGNING DATES FROM 20050802 TO 20050803
Owner name: SONICWALL, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MAILFRONTIER, INC.;REEL/FRAME:020486/0653
Effective date: 20070629
Owner name: SONICWALL, INC.,CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MAILFRONTIER, INC.;US-ASSIGNMENT DATABASE UPDATED:20100216;REEL/FRAME:20486/653
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RIHN, JENNIFER;OLIVER, JONATHAN J.;SIGNING DATES FROM 20050802 TO 20050803;REEL/FRAME:020486/0665